EINSTEIN
Overview

EINSTEIN is a system to detect and report network intrusions. It supports Federal agencies' efforts to protect their computer networks. EINSTEIN monitors participating agencies' network gateways for traffic patterns that indicate the presence of computer worms or other unwanted traffic. By collecting traffic information at agency gateways, EINSTEIN gives government analysts and participating agencies a synthesized, big-picture view of potentially malicious activity across Federal networks. EINSTEIN helps identify configuration problems, unauthorized network traffic, network backdoors, routing anomalies, network scanning activity, and baseline network traffic patterns. It enables rapid detection of cyber attacks affecting agencies and provides Federal agencies with early incident detection.

One limit on EINSTEIN is that it must have seen and analyzed the malicious traffic before, rather than being able to identify novel malicious traffic on first encounter — EINSTEIN can only block known threats.

Background

Before EINSTEIN was introduced, federal agencies reported cyber threats to the Department of Homeland Security (DHS) manually and on an ad hoc basis.[1] This was usually done after the agency's systems had already been affected by the attack. To remedy this, DHS, in collaboration with the National Security Agency (NSA), created EINSTEIN.

EINSTEIN's mandate derived from a combination of statutes, presidential directives, and agency memoranda. The first mandates for EINSTEIN came in 2002 with the Homeland Security Act of 2002 and Homeland Security Presidential Directive 7.[2] In 2007, the Office of Management and Budget required all federal executive agencies to develop a comprehensive plan of action to defend against cyber threats.[3] Coinciding with these statutory and administrative directives, DHS and NSA launched EINSTEIN in three phases, each more sophisticated than the last.

Developments

EINSTEIN 1.0

DHS rolled out EINSTEIN 1.0 in 2004 to automate the process by which federal agencies reported cyber threats to the U.S. Computer Emergency Readiness Team (US-CERT), the operational arm of DHS's cybersecurity division.[4] Under EINSTEIN 1.0, federal agencies voluntarily sent "flow records" of Internet network activity to DHS so it could monitor Internet traffic across the federal .gov domain. These flow records included basic routing information such as the IP addresses of the connecting computer and of the federal computer connected to.[5] US-CERT used this information to detect and mitigate malicious activity that threatened federal networks. This information was shared with both public and private actors on the DHS website.[6]

EINSTEIN 2.0

In an effort to upgrade EINSTEIN's capabilities, DHS launched EINSTEIN 2.0, which is capable of alerting US-CERT to malicious network intrusions in near-real time.[7] Sensors installed at all federal agency Internet access points make a copy of all network activity coming to and from federal networks, including addressing information and the content of the communication.[8] These data are then scanned for the presence of "signatures," patterns that correspond to a known threat such as denial of service attacks, network backdoors, malware, worms, Trojan horses, and routing anomalies.[9] The system triggers an alert when it senses malicious activity. All the data corresponding to the trigger, including the content of the communication, are saved.[10] Personnel at US-CERT then analyze the stored messages and act accordingly.

EINSTEIN 3

In 2010, DHS began testing EINSTEIN 3 on one federal agency.[11] In addition to detecting cyber threats, this newest iteration is also designed to block and respond to these threats before any harm is done.[12] US-CERT is also testing the ability of EINSTEIN 3 to provide real-time information sharing with other federal agencies and the NSA.[13]

References

1. Department of Homeland Security, Privacy Impact Assessment EINSTEIN Program: Collecting, Analyzing, and Sharing Computer Security Information Across the Federal Civilian Government, at 3 (full-text).
2. Id. at 1.
3. Office of Management and Budget, Memorandum for the Heads of Executive Departments and Agencies: Implementation of Trusted Internet Connections (TIC) (OMB Memorandum M-08-05) (Nov. 20, 2007).
4. Privacy Impact Assessment EINSTEIN Program: Collecting, Analyzing, and Sharing Computer Security Information Across the Federal Civilian Government, at 4.
5. Id. at 6-7.
6. See http://www.us-cert.gov/cas/techalerts/ for an example of cybersecurity alerts provided to the public.
7. Privacy Impact Assessment EINSTEIN Program: Collecting, Analyzing, and Sharing Computer Security Information Across the Federal Civilian Government, at 1.
8. Id. at 9. For more information on intrusion detection systems, see NIST Special Publication 800-94.
9. Id. at 9-5.
10. Id. at 10.
11. According to the Department of Homeland Security, the name of the agency is classified. Department of Homeland Security, Privacy Impact Assessment: Initiative Three Exercise, at 3 (2010) (full-text).
12. Id. at 3.
13. Id. at 3.

Source

* Cybersecurity: Selected Legal Issues, at 14-15.

See also

* EINSTEIN and the Fourth Amendment
* EINSTEIN sensor
* Privacy Compliance Review of the EINSTEIN Program

Category:Data
Category:Security
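The two detection models the page describes, as an added illustration that is not part of the page or of the EINSTEIN program: analysis of flow records that carry only addressing metadata (the EINSTEIN 1.0 model), and signature matching over copied traffic content, where every packet that trips a signature is retained in full (the EINSTEIN 2.0 model). The third packet in the demo carries a pattern no signature covers and therefore produces no alert, which is the page's stated limitation. All IP addresses, flow records, packets and signature patterns below are constructed for the example; the signature names are hypothetical.

```python
"""Illustration of flow-record analysis and signature-based detection.

Example code, not EINSTEIN's own. Every record and signature is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    """Minimal flow record: routing metadata only, no content (EINSTEIN 1.0 model)."""
    src_ip: str
    dst_ip: str
    dst_port: int
    bytes_sent: int


@dataclass
class Packet:
    """A copied packet: addressing information plus content (EINSTEIN 2.0 model)."""
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: bytes


# Constructed, hypothetical signatures: name -> byte pattern a known threat is assumed to carry.
SIGNATURES = {
    "hypothetical-worm-probe": b"WORM-PROBE-v1",
    "hypothetical-backdoor-banner": b"BACKDOOR READY",
}


def detect_scanning(flows, port_threshold=10):
    """Flag sources that touch many distinct destination ports on one host.

    Works on flow metadata alone, which is all the 1.0 model collected.
    Returns {(src_ip, dst_ip): distinct_port_count} for pairs at or over threshold.
    """
    ports = defaultdict(set)
    for f in flows:
        ports[(f.src_ip, f.dst_ip)].add(f.dst_port)
    return {pair: len(p) for pair, p in ports.items() if len(p) >= port_threshold}


def scan_for_signatures(packets, signatures=SIGNATURES):
    """Compare each packet's content against the known signatures.

    Returns a list of alerts; each alert keeps the full triggering packet,
    mirroring the point that all data tied to a trigger is saved for analysts.
    A packet matching no signature yields nothing, hostile or not: only
    threats for which a pattern already exists are recognised.
    """
    alerts = []
    for pkt in packets:
        for name, pattern in signatures.items():
            if pattern in pkt.payload:
                alerts.append({"signature": name, "packet": pkt})
                break  # one alert per packet is enough for this illustration
    return alerts


def demo():
    """Run both detectors over constructed input and return their results."""
    # One source sweeps 12 ports on a single target; one ordinary HTTPS flow.
    flows = [Flow("203.0.113.5", "192.0.2.10", port, 60) for port in range(20, 32)]
    flows.append(Flow("198.51.100.7", "192.0.2.10", 443, 1500))

    packets = [
        Packet("203.0.113.5", "192.0.2.10", 445, b"\x00\x10WORM-PROBE-v1\x00"),
        Packet("198.51.100.7", "192.0.2.10", 443, b"GET / HTTP/1.1\r\n"),
        # Novel pattern with no signature yet: goes unnoticed by this model.
        Packet("203.0.113.9", "192.0.2.11", 8080, b"NOVEL-PATTERN"),
    ]
    return detect_scanning(flows), scan_for_signatures(packets)


if __name__ == "__main__":
    scans, alerts = demo()
    print("scanning sources:", scans)
    for a in alerts:
        print(f"ALERT {a['signature']} from {a['packet'].src_ip}, payload retained")
```

Running the block prints one scanning source found from metadata alone and one signature alert whose full packet is retained; the third packet produces nothing, so a signature-only sensor would need a new pattern before it could see that traffic.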